Mailinglist Archive: opensuse (963 mails)

Re: [opensuse] I'm stuck - SSL Certs / email server
On 26.04.2011 04:47, Mihira Fernando wrote:
> On 04/26/2011 12:24 AM, Dimstar / Dominique Leuenberger wrote:
>> On Fri, 2011-04-22 at 18:26 +0530, Mihira Fernando wrote:
>>> On 04/22/2011 06:06 PM, Sandy Drobic wrote:
>>>> On 22.04.2011 06:37, Mihira Fernando wrote:
>>>>> On 04/22/2011 04:09 AM, Jim Flanagan wrote:
>>>>>> Port 25 is for non-SSL SMTP traffic. You can't expect it to give you an SSL
>>>>>> connection. Port 465 is the SSL port for SMTP. This should be opened from
>>>>>> postfix master.cf.
>>>> Your information is outdated, port 465 is the deprecated SSL port. If the
>>>> client sends the EHLO command instead of the HELO, then the server can offer
>>>> STARTTLS in its capabilities to the client. That initiates a TLS encrypted
>>>> connection.
>>> True, but so far the de facto standard is that port 25 is used for
>>> non-encrypted SMTP traffic. Running SSL or TLS only on port 25 is likely to
>>> cause your server to lose mail, as MTA - MTA mail delivery is still
>>> largely non-encrypted.
>> This is incorrect: tcp/25 can be TLS encrypted. TLS OPTIONAL of course,
>> if your server needs to receive mail from other servers (so if your SMTP
>> is a receiving server).
>>
>> There is hardly ANY server out there still using SSL directly.
>>
>> The usual thing for TLS OPTIONAL is to issue an ehlo, check for a
>> starttls command and issue it, changing to TLS.
>>
>> Dominique
>
> So exactly what in my statement earlier is incorrect?

Your assumption was that encryption is mandatory and thus responsible for
rejecting mails that should be accepted. This is not the case with STARTTLS.
STARTTLS is an OPTION for the client.
The reason for this is downward compatibility. A client may use HELO and
deliver mails without encryption; a client may use EHLO and MAY use STARTTLS
to encrypt the connection.

On the other side you may apply policies on your server like
- only allow mails from certain domains when the connection is encrypted
- only allow SMTP AUTH when the connection is encrypted
...

Port 465 is only useful for internal servers when the mails are sent from an
internal backend and the transport is set manually, including the port. For
some strange reason, Domino does check port 465 when attempting to deliver
mails, though it could be a configuration upgrade problem since our system is
rather old and has seen quite a lot of version upgrades.

Sandy
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
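The opportunistic STARTTLS flow Dominique describes (EHLO, look for STARTTLS among the capabilities, issue it) and the two server-side policies Sandy lists (AUTH only over an encrypted connection, certain sender domains only over an encrypted connection) can be shown in a small in-memory simulation. The code below is an added example written for this archive page; it is not from the thread, not Postfix code, and uses no sockets or real TLS. The server and client classes, hostnames, sender addresses and the `tls_required_senders` policy knob are all constructed for illustration. The reply texts mirror the common SMTP status codes (220, 250, 450, 530), but the exact wording is assumed, not taken from any particular MTA.

```python
"""Simulated SMTP session on tcp/25 with TLS optional (STARTTLS).

Shows why a TLS-optional port 25 does not lose mail: a legacy HELO client
still delivers in plaintext, an EHLO client upgrades only if STARTTLS is
offered, and policies such as "AUTH only when encrypted" are enforced by the
server's replies.  Everything here is a constructed stand-in, not an MTA.
"""


class SimSmtpServer:
    """Minimal in-memory SMTP server: TLS optional, AUTH only over TLS."""

    def __init__(self, tls_offered=True, tls_required_senders=()):
        self.tls_offered = tls_offered            # advertise STARTTLS at all?
        self.tls_required_senders = {d.lower() for d in tls_required_senders}
        self.encrypted = False                    # set once STARTTLS succeeds
        self.log = []                             # commands seen, for inspection

    def handle(self, line):
        """Process one client command line; return the reply lines."""
        self.log.append(line)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "HELO":                        # legacy client: no extensions
            return ["250 mail.example.test"]
        if verb == "EHLO":
            caps = ["250-mail.example.test", "250-PIPELINING"]
            if self.tls_offered and not self.encrypted:
                caps.append("250-STARTTLS")       # offered only before TLS
            if self.encrypted:
                caps.append("250-AUTH PLAIN LOGIN")  # AUTH only once encrypted
            caps.append("250 8BITMIME")
            return caps
        if verb == "STARTTLS":
            if not self.tls_offered or self.encrypted:
                return ["454 4.7.0 TLS not available"]
            self.encrypted = True                 # the TLS handshake would run here
            return ["220 2.0.0 Ready to start TLS"]
        if verb == "AUTH":
            if not self.encrypted:
                return ["530 5.7.0 Must issue a STARTTLS command first"]
            return ["235 2.7.0 Authentication successful"]
        if verb == "MAIL":
            addr = arg.partition("<")[2].rstrip(">")
            domain = addr.rpartition("@")[2].lower()
            if domain in self.tls_required_senders and not self.encrypted:
                return ["450 4.7.1 TLS required for this sender domain"]
            return ["250 2.1.0 Ok"]
        if verb == "QUIT":
            return ["221 2.0.0 Bye"]
        return ["502 5.5.2 Error: command not recognized"]


def parse_ehlo(lines):
    """Return the set of capability keywords from a multi-line 250 EHLO reply."""
    caps = set()
    for ln in lines[1:]:                          # first line is the hostname greeting
        if ln.startswith("250"):
            caps.add(ln[4:].split()[0].upper())   # keyword after "250-" or "250 "
    return caps


def deliver(server, sender="alice@example.test", use_ehlo=True, want_auth=False):
    """Simulated client session; returns (encrypted, auth_ok, mail_accepted)."""
    if not use_ehlo:                              # HELO client: plaintext only
        server.handle("HELO legacy.example.test")
        accepted = server.handle(f"MAIL FROM:<{sender}>")[0].startswith("250")
        return False, False, accepted
    caps = parse_ehlo(server.handle("EHLO client.example.test"))
    encrypted = False
    if "STARTTLS" in caps:                        # opportunistic upgrade
        if server.handle("STARTTLS")[0].startswith("220"):
            encrypted = True
            # Capabilities must be re-read after the TLS handshake.
            caps = parse_ehlo(server.handle("EHLO client.example.test"))
    auth_ok = False
    if want_auth:                                 # constructed credentials placeholder
        auth_ok = server.handle("AUTH PLAIN <constructed-credentials>")[0].startswith("235")
    accepted = server.handle(f"MAIL FROM:<{sender}>")[0].startswith("250")
    return encrypted, auth_ok, accepted


if __name__ == "__main__":
    print("HELO client, TLS-optional server:", deliver(SimSmtpServer(), use_ehlo=False))
    print("EHLO client, STARTTLS offered:   ", deliver(SimSmtpServer()))
    print("AUTH attempted without TLS:      ", deliver(SimSmtpServer(tls_offered=False), want_auth=True))
```

Running the module prints the three scenarios; the first shows that a plain HELO client still gets its mail accepted on a TLS-optional server, which is the point Sandy makes about STARTTLS being an option rather than a requirement.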
